DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Better Administration of Automated Targeting System Controls Can Further Protect Personally Identifiable Information
(Redacted)

NOTICE: The Department of Homeland Security, Office of Inspector General (OIG), has redacted this report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-08-06                                                  October 2007

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

October 16, 2007

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the adequacy and effectiveness of the department’s protection of personally identifiable information (PII) collected, transmitted, and stored in Customs and Border Protection’s (CBP) Automated Targeting System (ATS). It includes an evaluation of the operational and system controls implemented to reduce the risks associated with the loss, misuse, unauthorized access to, or modification of PII captured and stored in ATS. Our review was based on direct observations, system security vulnerability assessments, queries of ATS user data, and analyses of applicable documents. We obtained additional supporting information through interviews with employees and officials located in CBP’s Program Office, Office of Field Operations, and Office of Information Technology.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
     Background
     Results of Audit
          Effective Privacy Controls Implemented
               Operational Controls
               System Security Controls
          Administrative Oversight Concerns
               Periodic Reviews of User Access to ATS-P
               Configuration Management
          Recommendations
          Management Comments and OIG Analysis

Appendices
     Appendix A: Purpose, Scope, and Methodology
     Appendix B: Management’s Response
     Appendix C: Summary of Significant Security Vulnerabilities Identified and Potential Threats
     Appendix D: Major Contributors to This Report
     Appendix E: Report Distribution

Abbreviations
     ATS       Automated Targeting System
     ATS-P     Automated Targeting System-Passenger
     CBP       Customs and Border Protection
     CSIRC     Computer Security Incident Response Center
     DHS       Department of Homeland Security
     OIG       Office of Inspector General
     PIA       Privacy Impact Assessment
     PII       Personally Identifiable Information
     SQL       Structured Query Language

Better Administration of Automated Targeting System Controls Can Further Protect Personally Identifiable Information

OIG
Department of Homeland Security
Office of Inspector General

Executive Summary

The Automated Targeting System (ATS) is an information system that captures and stores personally identifiable information (PII), and is one of the most advanced targeting systems in the world. Customs and Border Protection (CBP) officers use the system to effectively and efficiently identify cargo, individuals, or conveyances that may present a risk to the United States and its citizens.

We evaluated whether the Department of Homeland Security is protecting the PII collected, transmitted, and stored within ATS. In addressing our audit objective, we focused on the specific controls implemented for the ATS passenger database, which contains the majority of the PII stored within ATS that is used in CBP’s targeting efforts.

Generally, CBP has implemented robust operational and system security controls to protect the PII contained within ATS. These controls are outlined in the Privacy Impact Assessment for the Automated Targeting System and provide the protections needed to secure its data. CBP is effectively employing these controls in protecting individuals’ PII. Control measures, based on users’ roles and responsibilities, have been established for granting access to system data. Additionally, all users are required to receive initial and refresher computer security and privacy awareness training in order to obtain and retain system access. Furthermore, network protection mechanisms, such as firewalls and encryption, have been deployed to protect the transmission of PII that is stored in the ATS passenger database.

While a number of ATS controls have been implemented, CBP management still needs to ensure that other established controls are better used in the protection of PII. Specifically, management should ensure that periodic reviews of users’ access privileges are being conducted and that the user privileges granted were properly authorized; that user accounts that have not been accessed within 90 days are disabled; and that CBP’s Office of Internal Affairs independently conducts internal reviews of user access according to department and component policies. In addition, management needs to remediate the system security vulnerabilities we detected pertaining to passwords and critical security patches.

We recommended that the Commissioner direct CBP’s Offices of Field Operations and Internal Affairs to review access control lists to ensure they are current, and to disable user accounts that have not been used in 90 days. We also recommended that CBP’s Chief Information Officer address the system security vulnerabilities identified.

In response to our draft report, CBP concurred with our recommendations. CBP’s response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

Public sensitivity to the protection of PII has heightened and generated concerns in the post-9/11 era. Many agencies capture PII and store it on their information systems, which causes great anxiety for both agencies and the public.

PII is defined as information in a system or online collection that directly or indirectly identifies a specific individual. PII includes information about an individual’s education, financial transactions, medical history, criminal or employment history, and other information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number, date and place of birth, mother’s maiden name, and biometric records, including fingerprints.

One of the systems storing PII is ATS, which became operational within CBP in 1993. ATS is the cornerstone of all CBP targeting efforts. CBP uses ATS to improve the collection, analysis, and dissemination of information that is gathered for the primary purpose of targeting, identifying, and preventing potential terrorists and weapons from entering the United States.

Automated Targeting System-Passenger (ATS-P), a database within ATS, is deployed at all ports of entry (air, ship, and rail) and has been used to evaluate (“target”) passengers prior to their arrival in the United States since 1999. ATS-P contains PII collected directly from commercial carriers in the form of passenger name records, which are then used to target suspicious individuals. ATS-P also receives various real-time information from other CBP systems and law enforcement databases.

The ATS architecture and data sources are depicted in the diagram below.

[Figure: ATS architecture diagram; the image is not reproduced here. Note: This diagram depicts the ATS architecture and the flow of data, including passenger airline manifests, immigration and customs information, and passenger name record data, from multiple sources (on the right) transmitted to the ATS application and into the ATS-P database. Users (on the left) access the data through a World Wide Web (i.e., Internet) connection to CBP’s local area network.]

A significant amount of data regarding passengers and crew members entering or departing the United States is collected and maintained in ATS, including name, address, dates of travel, contact information, frequent flier and benefit information, all available payment and billing information, travel itinerary, ticketing information, baggage information, passenger and crew manifests, and immigration control information. DHS has a duty to protect that information from loss and misuse. The loss or compromise of ATS data can have severe consequences, affecting national security, United States citizens, and the department’s missions.

There is substantial public and foreign interest in DHS’ collection and use of ATS data and the potential privacy implications in the event of disclosure. The privacy implications include:

• Potential threats to personal information during transmission.
• Violations of passenger rights.
• Unauthorized access to PII stored within ATS, especially ATS-P.
• Personal identity theft.

Results of Audit

Overall, CBP has implemented adequate privacy and system security controls over the PII collected, transmitted, and stored in ATS-P to effectively protect the information from loss, misuse, unauthorized access, or modification. We determined that CBP has implemented robust controls for the protection of PII maintained in ATS and shared with external agencies. We also identified that CBP can better administer its management and oversight to strengthen the effectiveness of its privacy controls. Our audit included a review of the ATS Privacy Impact Assessment (PIA) and the operational and system security controls implemented.

Effective Privacy Controls Implemented

The ATS PIA, dated November 22, 2006, accurately documents the privacy protections implemented to protect the PII that is collected, transmitted, and stored within ATS-P. The PIA adequately describes the administrative, technical, and physical controls established for storing and safeguarding PII data to prevent unauthorized access. It also documents the privacy risks associated with the potential misuse of PII data or breach of the system. To mitigate the risks pertaining to the number of users with access to PII, the PIA lists specific controls related to:

• User profile management.
• Definition of a user’s rights and responsibilities.
• Audit log generation to document all users’ access to ATS.
• Sharing of data, based on a need-to-know, case-by-case basis, consistent with federal, DHS, and CBP policies, and applicable arrangements and agreements.
• Information security and privacy awareness training.

CBP has established guidelines and procedures to ensure that ATS use is consistent with the PIA and privacy policy. CBP also has implemented a number of operational and system security controls to govern user access and information sharing. Furthermore, CBP requires that all of its officers be trained on the limited purposes for which ATS information may be used in connection with their official duties.

Operational Controls

CBP has implemented effective operational safeguards to protect the PII data within ATS, specifically ATS-P. These measures are designed to reduce the risks associated with the intentional and unintentional actions of system users, which could potentially result in the loss, misuse, modification, or unauthorized disclosure of ATS data. For example, CBP has:

• Established interconnection security agreements with internal and external agencies, as well as foreign countries. The agreements stipulate the privacy safeguards needed to protect the transmission of PII shared between the connecting information systems.

• Created a formal Computer Security Incident Response Center (CSIRC). All incidents of misuse of CBP systems are to be reported to CBP’s CSIRC. The CSIRC provides real-time network monitoring, intrusion detection, and incident handling.

• Developed security and privacy awareness training requirements. All ATS users are required to receive initial computer security and privacy awareness training before system access may be granted; users who have system access must attend refresher training to keep it. From a random sample of [redacted] of the [redacted] ATS-P users, we determined that [redacted] of the users had received the required security and privacy awareness training. The account of the one user who had not received the training was locked to prevent that user from any further access to ATS-P.

System Security Controls

Along with operational controls, CBP has implemented technical and logical access controls to effectively protect sensitive PII data in the ATS-P database. The following processes are in place:

• User access - Access to ATS is granted only after the completion of a background investigation, the submission of a supervisor-approved access request form, and the completion of initial security and privacy training. Data can be accessed only through the user sign-on function, using encrypted passwords. All users are assigned “Read Only” access to ATS-P, and all authorized access is based on a user’s “need-to-know.” CBP’s process for granting ATS access limits the number of users who are allowed to view PII data and protects ATS from unauthorized changes.

• Separation of duties - CBP has clearly defined separation of duties to prevent any one person from subverting a critical process or otherwise compromising ATS system controls or data. We noted that the database administrator and programmer roles ensure a complete separation of duties between maintaining the ATS-P database and maintaining the ATS application.

• Transmission of data - CBP has implemented point-to-point encryption of information between ATS users and the ATS web servers to protect PII data in transit. The encryption device settings indicated that all ATS traffic in and out of the CBP network at the National Data Center is encrypted.

Administrative Oversight Concerns

CBP policies and procedures clearly indicate that ATS-P user roles are highly restricted and audited; however, the greatest risk to the security and privacy of PII housed in ATS stems from insider threats. To ensure data is adequately protected from insider threats, management has to be vigilant in protecting ATS and the ATS-P database from potential misuse. To protect against threats involving potential misuse, it is imperative that CBP management actively monitor the administrative controls implemented to reduce security risks.

Better oversight is needed to ensure that periodic reviews of user access and the timely deployment of system security patches and updates occur. Additionally, management needs to ensure that system security controls related to the enforcement of DHS’ password policy are properly configured and implemented.

Periodic Reviews of User Access to ATS-P

CBP is not reviewing user access privileges on a periodic basis, nor is it disabling user accounts after 90 days of inactivity. According to the DHS 4300A Sensitive Systems Handbook, supervisors have a responsibility to ensure that access control lists are current and up-to-date by reviewing access privileges. Information Systems Security Officers are responsible for ensuring that access control reviews are being conducted. Furthermore, the ATS PIA and CBP policy require that CBP management and the Office of Internal Affairs conduct periodic reviews of ATS and the user access control list. DHS policy and the ATS System Security Plan require that CBP disable user accounts after 90 days of inactivity.

From a sample of [redacted] users with access to ATS-P, [redacted] of the [redacted] users were granted privileges that they were not authorized to receive. We also analyzed the ATS-P user access list to determine whether user accounts were disabled after 90 days of inactivity. We identified that [redacted] users have active accounts although they had not logged onto the system in more than 5 months (October 1, 2006 to March 28, 2007). Furthermore, as of May 7, 2007, CBP’s Office of Internal Affairs had not conducted any reviews of ATS this fiscal year.

Since user access privileges may change over time, it is imperative that reviews be conducted more frequently than annually. These reviews should ensure that user access privileges are current and that the privileges granted are authorized. Users should be granted only the most restrictive set of privileges needed to perform the tasks they are authorized to perform.
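The two checks this subsection describes (privileges broader than those authorized on the access request form, and active accounts with no login in the last 90 days) are mechanical once the user access list is exported, and running them on a schedule is what makes "periodic review" more than an annual exercise. The following Python script is an added example and is not OIG or CBP code; the CSV layout, the column and role names, the privilege ordering, and every sample row are constructed assumptions.

```python
"""Access-review checks over a user access list export.

Added example: not OIG or CBP code. The CSV layout, the role names, the
privilege ordering and every sample row below are constructed assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (hypothetical columns): one row per ATS-P
# account, with the role actually granted, the role authorized on the
# supervisor-approved access request form, the last login date (empty if
# the account has never been used) and the account status.
SAMPLE_EXPORT = """\
user_id,role_granted,role_authorized,last_login,status
u1001,READ_ONLY,READ_ONLY,2007-03-20,active
u1002,READ_ONLY,READ_ONLY,2006-09-15,active
u1003,DBA,READ_ONLY,2007-03-01,active
u1004,READ_ONLY,READ_ONLY,,active
u1005,READ_ONLY,READ_ONLY,2006-08-02,disabled
u1006,QUICK_QUERY,QUICK_QUERY,2007-03-27,active
"""

# Hypothetical privilege ordering; a higher rank is broader access.
ROLE_RANK = {"QUICK_QUERY": 0, "READ_ONLY": 1, "PROGRAMMER": 2, "DBA": 2}


def parse_access_list(text):
    """Parse the CSV export into dicts, converting last_login to a date or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        row["last_login"] = date.fromisoformat(last) if last else None
        rows.append(row)
    return rows


def inactive_accounts(rows, as_of, max_idle_days=90):
    """Active accounts with no login in the last max_idle_days.

    Accounts that were never used are reported as well: they have been
    inactive for their whole lifetime, so the policy applies to them too.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return [row["user_id"] for row in rows
            if row["status"] == "active"
            and (row["last_login"] is None or row["last_login"] < cutoff)]


def unauthorized_privileges(rows):
    """Accounts whose granted role is broader than the authorized role.

    A role missing from ROLE_RANK is flagged rather than ignored, so an
    unexpected role name in the export cannot silently pass the review.
    """
    findings = []
    for row in rows:
        granted = ROLE_RANK.get(row["role_granted"])
        authorized = ROLE_RANK.get(row["role_authorized"])
        if granted is None or authorized is None or granted > authorized:
            findings.append((row["user_id"], row["role_authorized"], row["role_granted"]))
    return findings


def access_review(text, as_of_iso, max_idle_days=90):
    """Run both checks; as_of_iso is the review date as YYYY-MM-DD."""
    rows = parse_access_list(text)
    as_of = date.fromisoformat(as_of_iso)
    return {
        "disable": inactive_accounts(rows, as_of, max_idle_days),
        "reauthorize": unauthorized_privileges(rows),
    }


if __name__ == "__main__":
    # Review date matches the end of the window the report examined.
    findings = access_review(SAMPLE_EXPORT, "2007-03-28")
    for uid in findings["disable"]:
        print(f"disable {uid}: no login within 90 days")
    for uid, authorized, granted in findings["reauthorize"]:
        print(f"re-authorize {uid}: authorized {authorized}, granted {granted}")
```

Two design points matter in practice. Never-used accounts are reported as inactive rather than skipped, since an account that was created and then never logged into is exactly the kind of stale credential an insider or a departed employee could pick up. And an unrecognized role name is treated as a finding, not as "no privilege," so a new role introduced outside the review's model surfaces on the next run instead of being silently accepted.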
Furthermore, by not\ndisabling accounts after 90 days of inactivity, management is allowing users,\nwho may no longer require access to ATS, the opportunity to misuse PII.\n\nConfiguration Management\n\nGenerally, CBP has implemented configuration and logical access controls to\neffectively protect the PII data contained within ATS-P. However, additional\nmeasures could be implemented to further secure PII and comply with DHS\npolicies.\n\nConfiguration management is a set of technical controls designed to provide\nsystem administrators with tools to maintain information systems in a secure\nmanner to ensure that agency requirements are applied to specific system\nsecurity settings. These controls afford a layer of protection from internal and\nexternal threats to privacy data through the use of security mechanisms, such\nas password complexity rules, session timeouts, lockout thresholds, and\nmanufacturer-supplied security patches and updates.\n\nWe conducted system security vulnerability assessments of the ATS-P\ndatabase to identify system vulnerabilities, determine\n                              . Based on these assessments, the majority of\nhigh-risk vulnerabilities detected related to the enforcement of strong\npasswords and application of critical security patches:\n\n\n        Better Administration of ATS Controls Can Further Protect PII\n\n                                   Page 7\n\x0c\xe2\x80\xa2   ATS\xe2\x80\x99 Information Systems Security Officer did not implement DHS\xe2\x80\x99\n    policy for                 until            , after our system security\n    vulnerability assessments were completed. Our assessments detected that\n        of the         ATS-P accounts were\n               . For of those accounts, the assigned\n                      .\n\n\xe2\x80\xa2   Further,\n                       . 
Although CBP has                                   policies and\n    procedures,\n\n                       .\n\nAppendix C contains a summary of the high vulnerabilities identified and the\npotential threats.\n\nDHS 4300A Sensitive Systems Handbook requires                                                  ,\n\n                   .\n\n                                                                                           .\nDHS policy also requires that components\n\n                                                                   .\n\n\n                              .\n\n\n          .\n                                                           .\n                                                                        .\n\n\n                                  .\n\n                                                               .\n                                                                                     .\n\n\n\n\n        Better Administration of ATS Controls Can Further Protect PII\n\n                                      Page 8\n\x0cRecommendations\nWe recommend that the Commissioner, CBP, direct the Office of Field\nOperations and the Office of Internal Affairs to:\n\nRecommendation #1: Periodically review ATS access control lists to verify\nthat users were granted only the level of access privileges authorized.\n\nRecommendation #2: Disable ATS user accounts that have been inactive for\n90 days or perform a risk assessment to determine whether management is\nwilling to accept the risk of not disabling user accounts according to CBP\npolicies.\n\nWe recommend that the Commissioner, CBP, direct its Chief Information\nOfficer to:\n\nRecommendation #3: Address ATS security vulnerabilities regarding\n                            .\n\nManagement Comments and OIG Analysis\nCBP concurred with recommendation 1. 
CBP managers will review the ATS\naccess control list on at least a biannual basis to verify users have received\nonly the level of access authorized.\n\nWe agreed that the steps CBP plans to take satisfy this recommendation.\n\nCBP concurred with recommendation 2. CBP managers are conducting a\nreview to identify ATS-P user accounts that have been inactive for 90 days in\norder to disable the accounts. Subsequently, in conjunction with CBP\n                                                , CBP will implement a\nprocedure to inactivate ATS accounts that have had 30 days of\nconsecutive inactivity. CBP also will make a determination whether to seek a\nwaiver of the 30-day policy for ATS-P accounts with\n\xe2\x80\x9cQuick Query \xe2\x80\x93only\xe2\x80\x9d access.\n\nWe agreed that the steps CBP plans to take satisfy this recommendation.\n\nCBP concurred with recommendation 3.\n\n\n         .\n\n\n\n        Better Administration of ATS Controls Can Further Protect PII\n\n                                   Page 9\n\x0c                                .\n\n\n                                                                        .\n\n                                       .\n\nWe agreed that the steps CBP plans to take satisfy this recommendation.\n\n\n\n\n        Better Administration of ATS Controls Can Further Protect PII\n\n                                    Page 10\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                        The overall objective of this audit was to determine whether the department is\n                        properly protecting PII collected, transmitted, and stored in ATS.\n                        Specifically, we determined whether:\n                        \xe2\x80\xa2  ATS\xe2\x80\x99 PIA adequately depicted the operational controls implemented for\n                           protecting PII data.\n                        \xe2\x80\xa2  Operational, technical, and system logical access controls were effective\n                 
          in protecting ATS\xe2\x80\x99 PII data.\n\n                        Our audit focused on the controls implemented to protect the privacy of the\n                        data contained in ATS-P, which contains the majority of PII. We analyzed the\n                        security posture of the ATS-P database only. Other operational and system\n                        security controls relating to ATS\xe2\x80\x99 other modules will be tested at a later date.\n\n                        To accomplish our audit objective, we evaluated the ATS PIA and the\n                        information technology controls implemented to protect sensitive ATS data.\n                        We also reviewed:\n                        \xe2\x80\xa2   DHS 4300A Sensitive Systems Handbook (dated March 1, 2007).\n                        \xe2\x80\xa2   DHS Management Directive 0470.2 \xe2\x80\x93 Privacy Act Compliance.\n                        \xe2\x80\xa2   DHS\xe2\x80\x99                                             .\n                        \xe2\x80\xa2   CBP\xe2\x80\x99s\n                                               .\n                        \xe2\x80\xa2   The Privacy Act of 1974.\n                        \xe2\x80\xa2   Office of Management and Budget Memorandum (OMB) Memorandum\n                            M-06-15, Safeguarding Personally Identifiable Information (dated May\n                            22, 2006).\n                        \xe2\x80\xa2   OMB Memorandum M-07-16, Safeguarding Against and Responding to\n                            the Breach of Personally Identifiable Information (dated May 22, 2007).\n                            Additionally, we conducted interviews, documented on-site observations,\n                            conducted system security vulnerability testing, and performed analytical\n                            queries of ATS-P user data.\n\n                        We ensured that security and privacy awareness training policies and\n        
                procedures had been established. To determine whether ATS users were\n                        complying with CBP\xe2\x80\x99s security and privacy awareness training policy, we\n                        randomly selected and analyzed the training documentation for a sample of\n                        ATS-P users.\n\n                        In determining whether the operational controls CBP implemented were\n                        effective in protecting ATS\xe2\x80\x99 PII data, we interviewed CBP personnel\n                        regarding the processes and procedures for granting access to the ATS-P\n                        database and system security. We interviewed the Privacy Office personnel\n\n                                  Better Administration of ATS Controls Can Further Protect PII\n\n                                                            Page 11\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                        regarding the handling procedures for incidents involving PII issues.\n                        Additionally, we interviewed the Office of Internal Affairs personnel\n                        regarding periodic reviews of ATS-P user access privileges and activity.\n\n                        We analyzed the ATS-P user access list to evaluate users\xe2\x80\x99 roles and privileges.\n                        We judgmentally sampled the ATS-P users to verify whether required\n                        background investigations were conducted and supervisory authorizations\n                        were submitted before granting and creating ATS user accounts.\n\n                        We conducted system security vulnerability assessments to determine whether\n                        technical and logical and access controls were effective in protecting ATS\xe2\x80\x99 PII\n                        data. 
We analyzed the security controls over servers, databases, and network devices that supported ATS at the [redacted]. Furthermore, we determined that network protection mechanisms, such as firewalls and intrusion detection, had been deployed. Encryption and authentication methods used to protect ATS data were evaluated.

[Text redacted]

We coordinated our audit efforts with CBP headquarters, CBP’s Office of Field Operations, and CBP’s Office of Information Technology. Fieldwork was completed from March 2007 through July 2007 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix D.

The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, Information Technology Audits, at (202) 254-4100, and Edward G.
Coleman, Director, Information Security Audit Division, at (202) 254-5444.

Appendix B
Management’s Response

[Pages 13 through 15: content not available in the extracted text.]

Appendix C
Summary of Significant Security Vulnerabilities Identified and Potential Threats

High Risk Vulnerabilities

Vulnerability | Potential Threats
[Table entries redacted]
Appendix D
Major Contributors to This Report

Information Security Audit Division
Edward G. Coleman, Director
Barbara Bartuska, Audit Manager
Tarsha Ross, Senior IT Auditor
Mike Horton, IT Specialist
Swati Mahajan, IT Specialist
Thomas Rohrback, Management and Program Assistant
Shannon Frenyea, Referencer

Advanced Technology Division
Marcus Badley, Senior Security Engineer

Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
Executive Secretary
Assistant Secretary, Legislative Affairs
Assistant Secretary, Policy
Assistant Secretary, Public Affairs
General Counsel
Office of
Security
Office of Privacy
Chief Information Officer (CIO)
Deputy CIO
Chief Information Security Officer
CIO, Customs and Border Protection (CBP)
Deputy CIO & Information Systems Security Manager, CBP
Director, Departmental Government Accountability Office/OIG Liaison Office
Director, Compliance and Oversight Program
Audit Liaison, CBP
Audit Liaison, CIO
Director, Information Security Audit Division

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG website at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity
of each writer and caller.